By now, you have most likely heard about the upcoming transition to AS9100:2016(D) and the 9110/9120 equivalents. As with any change, this one has its fair share of rumors and opinions.
Before we get into what has changed, let’s talk about why the change came to be. The 9001:2008 standard was due for revision, and, as the base document for the AS91XX-series, a change to the ISO document resulted in a change to the AS documents. Additionally, another key ISO document (ANNEX SL) was released to provide a more consistent layout to all quality management system standards, making their future integration easier. This changes the structure from the familiar eight-clause approach to a new ten-clause layout, with topics being rearranged into new locations.
A stakeholder survey, executed within the “prime” tier of the aerospace sector, was used to drive a bulk of the remaining modifications. This user feedback was instrumental in ensuring the continued relevance and acceptance of the standard. Although there were changes, do not fret as these items are probably consistent with contract flow-downs that have been embedded into customer purchase orders for the past few years and are likely not new requirements for your organization. As an example, the counterfeit parts/suspect unapproved parts clauses are new to the AS9100 document, but certainly not new to the industry.
As for the technical focus of the revised standard, numerous expectations were clarified, but few were added. Some of you are now shaking your heads and wondering how I could say that, given the inclusion of topics like risk-based thinking and human factors, but let me explain. This “new” concept of risk-based thinking is an example of further clarification of previously misguided expectation. The former language of preventive action was used to describe a methodology for evaluating potential problems and defining actions to prevent these potentials from becoming a reality. The record requirements, under the old standard, were a bit more cumbersome than needed, and, as a result, companies would often neglect entering these records into their formal system. Alternately, a misguided interpretation was to incorporate “preventive action” into the corrective action methodology in order to prevent the recurrence of a problem. The problem is that based on the ISO 9000:2005 definition, the purpose of preventive action is to eliminate the cause of a POTENTIAL problem through PREVENTING the OCCURRENCE… a far cry from the sometimes perceived “preventing the problem from happening again” interpretation.
Regardless of what it is called, the concept does not change. Potential problems facing our products and processes are reviewed and mitigations are implemented through a systematic and controlled approach. AS9100C incorporated language that pointed to the widely recognized failure mode and effects analysis (FMEA) tool, but did not mandate its use. This approach, while sound, had often been limited to a product-centric focus, but the new standards clarify a need to evaluate/mitigate both product- and process-based risks facing the organization, and at multiple levels of the realization process (e.g. planning, contracting, design, procurement, manufacturing, etc.). The simplified requirements for maintaining associated “documented information” have again made it easier for organizations to take credit for the improvement actions/mitigations implemented.
Another “new” addition to the AS91XX:2016 document family is “human factors.” As a correction, this may be new to the 9100 standard, but it is certainly NOT a new requirement to the aerospace industry. In fact, this concept has been around for years and is often invoked through civil aviation authority requirements, contractually flowed down to aerospace suppliers. This concept seems—superficially—contrary to the historical approach of “people don’t fail, processes do,” but I respectfully disagree. Through my career, I have seen very few people that wanted to maliciously fail, but when people do fail, it is because the process was engineered such that it was easier to fail than to succeed. While considering human factors, it is important to understand how people can impact the process and consider engineering efforts to reduce or eliminate these potential or realized risks. Examples of these risks may include employee fatigue, employee stress, workstation layout, psycho-social influences, management pressures and similar factors. If these factors are considered while process engineering is addressed, the process will be far more robust and capable of delivering a sound “product.”
That said, there are some new requirements, but I do not see many of them being “out there.” Employee knowledge, as an example, is new to the standard (although it could be arguably described as a derivative of the historical competence requirements) and includes expectations of mandatory topics like ethical behavior. Again, I do not see this as a significant technical shift, and the tone of the document has certainly afforded the certified organization some leeway in methods used for implementation. Aerospace auditors are not the “ethics police,” and SHOULD simply audit the standard’s requirements against defined organizational methodology for conformance. As in the past, there is not a one-size approach for all organizations, and auditors must continue to objectively evaluate these methods. Frankly, auditors don’t always get it right, especially given a new standard, but that is exactly why certification bodies are required to have an appeals process. Do not be afraid to enact this—decisions do not always favor the auditor.
As we know, audits started after June 15, 2017, must be done to the new standard, despite the delays in document release. At this time, there is no anticipated relief to the implementation deadline of September 15, 2018. Even with this deadline, it is imperative that organizations complete internal transition efforts, complete auditing and obtain their new certificates well before this September 2018 deadline, as any certificate that has not been upgraded by that time will expire and the organization would be required to start over.
In summary, the standards have changed, but the technical magnitude of these changes is not exceptional and should not present an insurmountable hurdle for organizations to complete well before the September 2018 deadline.